Bug 1159704 - Evolution 3.10.4 not able to use TLSv1 or higher (only SSLv3)
Keywords:
Status: CLOSED DUPLICATE of bug 1153723
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: evolution
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Matthew Barnes
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On: 1153052
Blocks:
Reported: 2014-11-03 04:31 UTC by Murray McAllister
Modified: 2015-01-04 22:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1153052
Environment:
Last Closed: 2014-11-03 08:09:26 UTC
Target Upstream Version:
Embargoed:



Description Murray McAllister 2014-11-03 04:31:45 UTC
Is the below something that should be fixed in Red Hat Enterprise Linux 6 and 7 too?

+++ This bug was initially created as a clone of Bug #1153052 +++

Description of problem:
Evolution in the default configuration is not able to use TLSv1 or higher for SSL connections, it only allows SSLv3 connections.

After the Poodle attack has been discovered [https://www.openssl.org/~bodo/ssl-poodle.pdf], SSLv3 can't be considered as secure anymore and TLS is *required*.

Steps to Reproduce:
1. Try to connect to a server that doesn't allow SSLv3.
2. Evolution can't connect: "Cannot communicate securely with peer: no common encryption algorithm(s)."

May be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1091544

--- Additional comment from Milan Crha on 2014-10-16 03:21:04 EDT ---

Thanks for a bug report. This patch should make it work. There is an option to enable only TLS, when STARTTLS is used, but that requires (for IMAP) to have the STARTTLS supported by the IMAP server, which is not always true. I do not know how correct this change is, though. In any case, here [1] is a test package with it included. Give it a try, please.

[1] http://koji.fedoraproject.org/koji/taskinfo?taskID=7879901

--- Additional comment from RH on 2014-10-16 03:50:35 EDT ---

In case it matters: In my case, I don't use STARTTLS but only SSL/TLS over a dedicated port (because our server doesn't support unencrypted IMAP at all).

However, I think that it shouldn't make a difference for SSL/TLS negotiation whether you use STARTTLS or SSL/TLS over a dedicated port.

--- Additional comment from Kai Engert (on vacation) (:kaie) on 2014-10-16 06:26:58 EDT ---

Yes, "always use SSL on a dedicated port" should mean:
"always use SSL/TLS (without starttls), but support both SSL/TLS, and prefer the most recent one"

--- Additional comment from Matthew Barnes on 2014-10-16 10:27:07 EDT ---



--- Additional comment from Milan Crha on 2014-10-16 11:28:12 EDT ---

This is a bit more complicated version of the previous patch, which enables all available SSL/TLS algorithms available in the current NSS version (for NSS 3.14+). I'm using that for the official update, which will fix error messages like:

   Could not connect to 'server:993': Cannot communicate securely with peer:
   no common encryption algorithm(s).

when a server has disabled SSLv3.

--- Additional comment from Fedora Update System on 2014-10-16 12:27:15 EDT ---

evolution-data-server-3.10.4-6.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/evolution-data-server-3.10.4-6.fc20

--- Additional comment from Fedora Update System on 2014-10-17 04:40:29 EDT ---

Package evolution-data-server-3.10.4-6.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing evolution-data-server-3.10.4-6.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13050/evolution-data-server-3.10.4-6.fc20
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2014-10-19 09:20:58 EDT ---

evolution-data-server-3.10.4-6.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

--- Additional comment from RH on 2014-10-19 11:14:07 EDT ---

Works for me, thanks!
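
The failure reported above depends on the highest protocol version the client puts in its ClientHello. As an added example (not part of the bug report and not Evolution or NSS code), this parses that field from a captured record and flags clients whose best offer is SSLv3; the sample records, client names and function names are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_client_hello(version):
    """Constructed sample: a minimal ClientHello record whose maximum is `version`."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + 32-byte random
    body += b"\x00"                                 # empty session_id
    body += b"\x00\x02\x00\x2f"                     # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                             # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # The record-layer version is not the offer; the parser below ignores it.
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake

def max_offered_version(record):
    """Return client_version (the highest version offered) from a ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a TLS handshake record")
    handshake = record[5:5 + length]
    if len(handshake) != length or length < 6:
        raise ValueError("truncated handshake message")
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    return struct.unpack("!H", handshake[4:6])[0]

def classify(record):
    """Label a client by its offer; TLS 1.3 clients send 0x0303 here, so they pass."""
    version = max_offered_version(record)
    label = "sslv3-only" if version <= 0x0300 else "ok"
    return label, NAMES.get(version, hex(version))

def audit(captures):
    """Return the names of clients whose best offer is SSLv3."""
    return sorted(name for name, rec in captures.items()
                  if classify(rec)[0] == "sslv3-only")

if __name__ == "__main__":
    # Constructed captures; the client names are hypothetical.
    captures = {"mail-client-old": build_client_hello(0x0300),
                "mail-client-patched": build_client_hello(0x0303)}
    for name, rec in captures.items():
        print(name, *classify(rec))
    print("needs update:", audit(captures))
```

An SSLv2-format hello (first byte 0x80) is rejected with `ValueError` rather than guessed at, so such captures need separate handling.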

Comment 2 Milan Crha 2014-11-03 08:09:26 UTC
(In reply to Murray McAllister from comment #0)
> Is the below something that should be fixed in Red Hat Enterprise Linux 6
> and 7 too?

No and yes, see below.

*** This bug has been marked as a duplicate of bug 1153723 ***

